Google has significantly degraded NetNut, one of the biggest networks that turns home devices into rented relays for other people’s traffic.
Working with the FBI, Lumen, and others, Google’s Threat Intelligence Group (GTIG) said this week it had reduced the network’s pool of usable devices by millions.
Google identifies NetNut, also tracked as Popa, as a network spread across home devices worldwide, including smart TVs and streaming boxes, and GTIG estimates the network holds at least 2 million devices.
If one of those devices is in your home, strangers can route their own traffic through your internet connection, and your address gets the blame for whatever they do with it.
How It Works
A residential proxy network sells access to real home internet addresses. Attackers pay to route their traffic through your connection so it looks like ordinary home browsing, not the datacenter traffic that security tools tend to block.
To build that pool, operators need their code running on home devices. Some cheap off-brand devices ship with it pre-installed; others pick it up when someone installs a free app that hides it. Once it is running, the device becomes an “exit node,” a doorway that other people’s traffic flows through.
Google says an exit node brings outside traffic inside the home network, giving attackers a foothold to reach other devices on it. Some of these home gadgets have also been pulled into large attack botnets such as Mirai and Badbox 2.0.
In a single week in June, GTIG counted 316 distinct threat clusters, including cybercriminal and espionage groups, using suspected NetNut exit nodes to hide their real location and run password-guessing attacks.
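For defenders on the receiving end of that password guessing, the practical consequence is that per-address failure thresholds see nothing unusual when each attempt arrives from a different home address. The following is an added example, not code from Google's report or the original article: it runs a per-IP check and a per-account check over a constructed login log. The thresholds, function names and sample addresses (documentation ranges) are assumptions chosen for illustration.

```python
from collections import defaultdict

def build_sample():
    """Constructed login events: (source_ip, account, success).
    Addresses come from documentation ranges and are not real indicators."""
    events = []
    # 40 different "home" addresses, each trying one password per account.
    for i in range(40):
        ip = f"203.0.113.{i + 1}"
        for acct in ("alice", "bob", "carol"):
            events.append((ip, acct, False))
    # An ordinary user who mistypes twice and then logs in.
    events += [("198.51.100.7", "dave", False),
               ("198.51.100.7", "dave", False),
               ("198.51.100.7", "dave", True)]
    return events

def per_ip_alerts(events, max_failures=5):
    """Per-address control: flag a source IP with more than max_failures
    failed logins. The threshold is an assumed value."""
    fails = defaultdict(int)
    for ip, _acct, ok in events:
        if not ok:
            fails[ip] += 1
    return sorted(ip for ip, n in fails.items() if n > max_failures)

def per_account_alerts(events, min_sources=10):
    """Per-account view: flag accounts whose failed logins come from at
    least min_sources distinct addresses. The threshold is an assumed value."""
    sources = defaultdict(set)
    for ip, acct, ok in events:
        if not ok:
            sources[acct].add(ip)
    return {a: len(ips) for a, ips in sources.items() if len(ips) >= min_sources}

if __name__ == "__main__":
    log = build_sample()
    print("per-IP alerts:     ", per_ip_alerts(log))
    print("per-account alerts:", per_account_alerts(log))
```

Every address in the sample stays under the per-IP limit, so only the count of distinct sources per account exposes the guessing, and the user with two typos is not flagged by either check.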
The Company Behind It
Unlike most proxy botnets, NetNut traces back to a public company. In June, researchers at Qurium, Synthient, Nokia Deepfield, and Spur tied Popa to NetNut.
NetNut is a proxy provider owned by publicly traded Israeli company Alarum Technologies (NASDAQ: ALAR). In a controlled test, Synthient said traffic it sent into NetNut’s commercial gateway came out through a device it had enrolled in Popa.
Synthient framed that as evidence of the traffic path, not proof of what NetNut knew or intended. Google’s own intelligence aligns: it treats NetNut and Popa as the same network, and says the public reporting matches its view of how NetNut builds its botnet. The Hacker News covered the researchers’ findings when they were published.
Alarum rejects the “botnet” label. It calls the research “demonstrably inaccurate assertions and flawed deductions rather than verified facts,” and says its software is for consented bandwidth-sharing that does not compromise the devices it runs on.
The researchers’ testing complicates that defense: Synthient reported that none of the more than 20 apps it examined actually showed users a consent prompt.
Why One Takedown Isn’t Enough
Cutting off NetNut is messy…



